[Bug 1537762] Re: syncrepl does not work when using tls
[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

** Changed in: openldap (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1537762

Title:
  syncrepl does not work when using tls

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1537762/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1537762] Re: syncrepl does not work when using tls
Just confirmed, changing the ldap server's cipher suite to the one that works in testing with gnutls-cli gets syncrepl going.

I've attached the ldif file I used to fix ldap; I needed to restart slapd afterwards. Use the following command to apply, as root, on the server:

    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f fixtls.ldif

Of course, don't blindly apply.

** Attachment added: "LDIF to change olcTLSCipherSuite"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1537762/+attachment/4625309/+files/fixtls.ldif
[Bug 1537762] Re: syncrepl does not work when using tls
I've just run into this issue. Running the test with gnutls-cli with only SECURE256, we see the same issue, but our certs do have a good signing algorithm, "Signature Algorithm: sha256WithRSAEncryption".

What's weird to me, and maybe I don't understand just how significant the order of the cipher suite is, but before this issue we'd configured ldap with the following cipher suite list:

    SECURE128:SECURE256:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1

That list fails with gnutls-cli, but if I change the list to the following, it works:

    SECURE256:SECURE128:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1
[Bug 1537762] Re: syncrepl does not work when using tls
Perhaps the issue is that your certificates have too short RSA keys. In GnuTLS, SECURE256 requires at least a 3072-bit public key. Unfortunately, this is not clearly documented.
[Bug 1537762] Re: syncrepl does not work when using tls
Thanks for the pointers (I have no idea why I failed to find the gnutls26 bug yesterday when I looked). Bug 1533230 comment #12 (https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230/comments/12) seems to be the same problem as I'm having.

Using the command:

    gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224'

works, but

    gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256'

does not work and gives an error of:

    *** Fatal error: The signature algorithm is not supported.
    *** Handshake has failed
    GnuTLS error: The signature algorithm is not supported.

Our slapd.conf file contained

    TLSCipherSuite SECURE256:-VERS-SSL3.0

which I think explains where syncrepl fails but ldapsearch still works, as it will use a SECURE128 cipher. I don't understand why I now need to add specific signature algorithms to the list, though?
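The gnutls-cli checks from this thread, wrapped into a small probe script (an added example, not from the bug thread or the openldap package): it runs each priority string discussed here against a host you name and classifies the handshake outcome from gnutls-cli's output, so you can see which priority level your server's certificate and key satisfy. It assumes gnutls-cli is installed; the host name on the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug thread): probe an LDAPS server with the
# gnutls-cli priority strings discussed above and classify each outcome.

# Classify gnutls-cli output into a short diagnosis. The message texts are
# the ones quoted in the thread; the signature-algorithm error is checked
# first because it is also followed by the generic "Handshake has failed".
classify_handshake() {
  out="$1"
  case "$out" in
    *"The signature algorithm is not supported"*) echo "sigalg-rejected" ;;
    *"Handshake has failed"*)                     echo "handshake-failed" ;;
    *"Handshake was completed"*)                  echo "ok" ;;
    *)                                            echo "unknown" ;;
  esac
}

# Run one handshake against host:port with the given priority string and
# print the diagnosis. Empty stdin makes gnutls-cli exit after the handshake.
probe_priority() {
  host="$1"; port="$2"; prio="$3"
  out=$(printf '' | gnutls-cli -p "$port" "$host" --priority "$prio" 2>&1) || true
  classify_handshake "$out"
}

# Try the priority strings from the thread in turn. A server that only
# passes once SIGN-RSA-SHA224 is added, or only with SECURE128 first, has a
# certificate or key that the SECURE256 level rejects (the thread points at
# RSA keys shorter than 3072 bits).
probe_all() {
  host="$1"; port="${2:-636}"
  for prio in \
    'SECURE256' \
    'SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224' \
    'SECURE128:SECURE256:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1' \
    'SECURE256:SECURE128:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1'
  do
    printf '%-72s %s\n' "$prio" "$(probe_priority "$host" "$port" "$prio")"
  done
}

# Usage: sh probe.sh ldaphost.example.com 636   (placeholder host; the probe
# only runs when a host argument is given, so sourcing the file is harmless)
if [ $# -ge 1 ]; then
  probe_all "$@"
fi
```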
[Bug 1537762] Re: syncrepl does not work when using tls
Please also have a look at https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230 (thanks to sarnold for the pointer).
[Bug 1537762] Re: syncrepl does not work when using tls
Hi Ian,

I found https://stathers.net/2016/01/14/thawte-premium-ssl-md5-gnutls.html but it would be surprising if that broke syncrepl but not ldapsearch. Still, worth checking if you haven't already. (ldapsearch and syncrepl are using the same CA certificate, right?)

Is there any interesting output if you run the consumer slapd at a higher debug level?

Separate from slapd, are gnutls-serv/gnutls-cli able to communicate using the same certificates?

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete